PingIDM Security Advisory #202402
A security vulnerability has been discovered in supported versions of PingIDM (formerly known as ForgeRock Identity Management). This vulnerability affects all supported versions and could be present in older unsupported versions. You should secure your deployments at the earliest opportunity as outlined in this security advisory.
Advanced Identity Cloud customers
This security advisory only applies to software deployments of PingIDM. All relevant patches from this advisory have already been applied to the PingOne Advanced Identity Cloud (formerly known as ForgeRock Identity Cloud).
August 1, 2024
The severity of the issue in this advisory is Low.
Note
The recommendation is to apply the relevant patch to mitigate this issue.
Details about this vulnerability are deliberately kept to a minimum to protect your deployments and prevent someone from trying to exploit them in the field.
You can download patches from Backstage for the following versions:
See "How do I install a PingIDM patch supplied by Ping support?" for further information on deploying the patch. If you are running an older version, raise a support ticket to obtain an updated patch.
Issue #202402 (CVE-2024-23600)
| Affected versions | 7.0.2, 7.1.3, 7.2, 7.3, 7.4, 7.5 (and older unsupported versions) |
|---|---|
| Fixed versions | Apply the relevant patch |
| Component | Core Server |
| Severity | Low (CVSS score 2.7) |
Description:
An Improper Input Validation (CWE-20) weakness in the query filter search option of PingIDM may allow the values of private user fields to be brute-forced by an authenticated caller, which could lead to unintended information disclosure.
Mitigation:
None
Resolution:
Apply the relevant patch.
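The advisory deliberately does not describe the brute-force technique, and it lists no mitigation other than the patch. What a practitioner can still do is look for the pattern in the access audit log: one client issuing many distinct query-filter probes against a single attribute. The script below is an added example, not part of this advisory and not Ping code. It assumes IDM-style "access" audit events as JSON lines with `client.ip`, `http.request.path` and `http.request.queryParameters._queryFilter` (the `_queryFilter` parameter is the standard IDM query parameter; the exact event layout and all values are constructed for the example), and it assumes that guessing shows up as repeated `sw`/`co`/`eq` filters on one field, which is a heuristic, not a statement of how the flaw is exploited.

```python
import json
import re
from collections import defaultdict

# Constructed sample of PingIDM-style "access" audit events, one JSON object per line.
# The layout approximates the IDM access audit topic; every value is made up.
# 203.0.113.7 probes a single attribute with six distinct prefixes; 198.51.100.9 does
# two ordinary lookups.
SAMPLE_ACCESS_LOG = """\
{"timestamp":"2024-08-01T10:00:01Z","client":{"ip":"203.0.113.7"},"http":{"request":{"method":"GET","path":"/openidm/managed/user","queryParameters":{"_queryFilter":["privateField sw \\"a\\""]}}},"response":{"statusCode":"200"}}
{"timestamp":"2024-08-01T10:00:02Z","client":{"ip":"203.0.113.7"},"http":{"request":{"method":"GET","path":"/openidm/managed/user","queryParameters":{"_queryFilter":["privateField sw \\"b\\""]}}},"response":{"statusCode":"200"}}
{"timestamp":"2024-08-01T10:00:03Z","client":{"ip":"203.0.113.7"},"http":{"request":{"method":"GET","path":"/openidm/managed/user","queryParameters":{"_queryFilter":["privateField sw \\"c\\""]}}},"response":{"statusCode":"200"}}
{"timestamp":"2024-08-01T10:00:04Z","client":{"ip":"203.0.113.7"},"http":{"request":{"method":"GET","path":"/openidm/managed/user","queryParameters":{"_queryFilter":["privateField sw \\"ca\\""]}}},"response":{"statusCode":"200"}}
{"timestamp":"2024-08-01T10:00:05Z","client":{"ip":"203.0.113.7"},"http":{"request":{"method":"GET","path":"/openidm/managed/user","queryParameters":{"_queryFilter":["privateField sw \\"cb\\""]}}},"response":{"statusCode":"200"}}
{"timestamp":"2024-08-01T10:00:06Z","client":{"ip":"203.0.113.7"},"http":{"request":{"method":"GET","path":"/openidm/managed/user","queryParameters":{"_queryFilter":["privateField sw \\"cc\\""]}}},"response":{"statusCode":"200"}}
{"timestamp":"2024-08-01T10:00:07Z","client":{"ip":"198.51.100.9"},"http":{"request":{"method":"GET","path":"/openidm/managed/user","queryParameters":{"_queryFilter":["userName eq \\"bjensen\\""]}}},"response":{"statusCode":"200"}}
{"timestamp":"2024-08-01T10:00:08Z","client":{"ip":"198.51.100.9"},"http":{"request":{"method":"GET","path":"/openidm/managed/user","queryParameters":{"_queryFilter":["mail co \\"example.com\\""]}}},"response":{"statusCode":"200"}}
"""

# Simple CREST comparison filter: <field> <op> "<value>". Compound filters
# (and/or/not) are ignored by this example.
FILTER_RE = re.compile(r'^([\w/]+)\s+(eq|sw|co|ne|gt|ge|lt|le)\s+"([^"]*)"$')


def parse_filter(expr):
    """Return (field, op, value) for a simple comparison filter, else None."""
    m = FILTER_RE.match(expr.strip())
    return m.groups() if m else None


def extract_filters(log_text):
    """Yield (client_ip, path, field, op, value) for every parsable query-filter request."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        request = event.get("http", {}).get("request", {})
        for expr in request.get("queryParameters", {}).get("_queryFilter", []):
            parsed = parse_filter(expr)
            if parsed:
                yield (event["client"]["ip"], request.get("path")) + parsed


def detect_field_bruteforce(log_text, threshold=5, probing_ops=("sw", "co", "eq")):
    """Flag (client, path, field) triples where one client tried at least
    `threshold` distinct probe values with prefix/substring/equality operators.
    Threshold and operator set are assumptions to tune per deployment."""
    probes = defaultdict(set)
    for ip, path, field, op, value in extract_filters(log_text):
        if op in probing_ops:
            probes[(ip, path, field)].add(value)
    alerts = []
    for (ip, path, field), values in sorted(probes.items()):
        if len(values) >= threshold:
            alerts.append({"client_ip": ip, "path": path, "field": field,
                           "distinct_values": len(values)})
    return alerts


if __name__ == "__main__":
    for alert in detect_field_bruteforce(SAMPLE_ACCESS_LOG):
        print(alert)
```

Run over the constructed sample, the detector reports the single probing client and stays quiet on the ordinary lookups. This is a detection aid only; it does not close the weakness, so the patch still needs to be applied.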
See Also
Acknowledgments
Ksandros Apostoli, SEC Consult Vulnerability Lab
Miguel García Martín, SEC Consult Vulnerability Lab
Change Log
The following table tracks changes to the security advisory:
| Date | Description |
|---|---|
| August 1, 2024 | Initial release |